Electronic key management device, electronic key management system, electronic key management method, and storage medium

ABSTRACT

An electronic key management device includes a generator ( 152, 153 ) configured to generate at least one of a first execution key and a second execution key for obtaining a permission for transiting to a registration mode for registering an electronic key of a vehicle in an in-vehicle authentication device or to an invalidation mode for invalidating the electronic key registered in the in-vehicle authentication device, in response to a predetermined request, and a communication controller ( 154 ) configured to transmit the first execution key generated by the generator to a first terminal device, and transmit the second execution key generated by the generator to a second terminal device that is a terminal device different from the first terminal device and is registered in advance as a terminal device of an authorized owner.

CROSS-REFERENCE TO RELATED APPLICATION

Priority is claimed on Japanese Patent Application No. 2018-053420,filed Mar. 20, 2018, the content of which is incorporated herein byreference.

BACKGROUND Field of the Invention

The present invention relates to an electronic key management device, anelectronic key management system, an electronic key management method,and a storage medium.

Description of Related Art

In recent years, electronic keys have become widespread as vehicle keys.An electronic key and a vehicle are associated with each other inadvance by an immobilizer mounted on the vehicle. For example, theassociation between a vehicle and an electronic key is performed at adealer store when the vehicle is delivered or when the electronic key islost. In the dealer store, a diagnostic machine connected to theimmobilizer through a cable is prepared, and in a case where necessaryinformation is input from the diagnostic machine, an operation mode ofthe immobilizer is switched to a registration mode in which theassociation between the vehicle and the electronic key is able to beexecuted. The immobilizer that is executing the registration modereceives unique key information from the electronic key, and thus thevehicle and the electronic key are associated with each other.

In relation to this, a technology in which a center manages informationnecessary for switching to a registration mode, and after a diagnosticmachine executes a predetermined process with the center, the diagnosticmachine receives the information necessary for switching to theregistration mode from the center is known (for example, refer toJapanese Patent No. 5257814).

SUMMARY

However, in the related art, there was a case where a diagnostic machineis connected to a vehicle without permission by a malicious third party,a predetermined process is executed with a center using the diagnosticmachine, and a mode is illegally switched to a registration mode. Forexample, a method for invalidating original key information of anauthorized owner and registering another new key information (aso-called immobilizer-cutter) becomes a problem. With such a method,there was a problem that an electronic key prepared by this third partyis associated with the vehicle and security of the vehicle isdeteriorated.

An aspect of the present invention has been made in consideration ofsuch a circumstance, and an object of the present invention is toprovide an electronic key management device, an electronic keymanagement system, an electronic key management method, and a storagemedium that improve security of a vehicle.

An electronic key management device, an electronic key managementsystem, an electronic key management method, and a storage mediumaccording to the present invention adopt the following constitutions.

(1): An electronic key management device according to an aspect of thepresent invention includes a generator configured to generate at leastone of a first execution key and a second execution key for obtaining apermission for transiting to a registration mode for registering anelectronic key of a vehicle in an in-vehicle authentication device or toan invalidation mode for invalidating the electronic key registered inthe in-vehicle authentication device, in response to a predeterminedrequest, and a communication controller configured to transmit the firstexecution key generated by the generator to a first terminal device, andtransmit the second execution key generated by the generator to a secondterminal device that is a terminal device different from the firstterminal device and is registered in advance as a terminal device of anauthorized owner.

(2): In the aspect of (1), the generator generates an execution keyrelated to the first execution key and the second execution key based onat least one of information on the vehicle or information on aregistration date, and the communication controller transmits theexecution key to the in-vehicle authentication device.

(3): In the aspect of (1), the generator generates an execution keybased on at least one of information on the vehicle or information on aregistration date, and divides the execution key to generate the firstexecution key and the second execution key.

(4): In the aspect of (2), the communication controller transmits theexecution key generated by the generator to the in-vehicleauthentication device that has transmitted the execution request of theregistration mode or the invalidation mode.

(5): In the aspect of (1), the communication controller transmitsinformation indicating a sequence when connecting the first executionkey and the second execution key, to at least one of the first terminaldevice and the second terminal device.

(6): An electronic key management system according to an aspect of thepresent invention includes the electronic key management device of theaspect of (1), and the in-vehicle authentication device configured toperform authentication based on the first execution key and the secondexecution key in a case where the first execution key and the secondexecution key are input, and execute the registration mode or theinvalidation mode in a case where the authentication is successful.

(7): An electronic key management system according to an aspect of thepresent invention includes the electronic key management device of theaspect of (3), and the in-vehicle authentication device configured todetermine whether or not information based on the first execution keyand the second execution key matches the execution key in a case wherethe execution key, the first execution key, and the second execution keyare input, and determine that authentication is successful in a casewhere both of the information based on the first execution key and thesecond execution key matches the execution key.

(8): An electronic key management method according to an aspect of thepresent invention causes a computer to generate at least one of a firstexecution key and a second execution key for obtaining a permission fortransiting to a registration mode for registering an electronic key of avehicle in an in-vehicle authentication device or to an invalidationmode for invalidating the electronic key registered in the in-vehicleauthentication device, in response to a predetermined request, transmitthe generated first execution key to a first terminal device, andtransmit the generated second execution key to a second terminal devicethat is a terminal device different from the first terminal device andis registered in advance as a terminal device of an authorized owner.

(9): A computer-readable non-transitory storage medium storing a programaccording to an aspect of the present invention causes a computer togenerate at least one of a first execution key and a second executionkey for obtaining a permission for transiting to a registration mode forregistering an electronic key of a vehicle in an in-vehicleauthentication device or to an invalidation mode for invalidating theelectronic key registered in the in-vehicle authentication device, inresponse to a predetermined request, transmit the generated firstexecution key to a first terminal device, and transmit the generatedsecond execution key to a second terminal device that is a terminaldevice different from the first terminal device and is registered inadvance as a terminal device of an authorized owner.

According to the aspects (1) to (9), it is possible to improve securityof a vehicle.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a constitution diagram of an electronic key management systemaccording to an embodiment.

FIG. 2 is a constitution diagram of a diagnostic machine.

FIG. 3 is a constitution diagram of a management server.

FIG. 4 is a diagram showing an example of details of address managementinformation.

FIG. 5 is a constitution diagram of an immobilizer.

FIG. 6 is a sequence diagram showing a flow of a process by theelectronic key management system.

FIG. 7 is a diagram showing an example of an execution key input screen.

FIG. 8 is a diagram showing an example of the execution key inputscreen.

DESCRIPTION OF EMBODIMENTS

Hereinafter, embodiments of an electronic key management device, anelectronic key management system, an electronic key management method,and a storage device of the present invention will be described withreference to the drawings.

[Overall Constitution]

FIG. 1 is a constitution diagram of an electronic key management system1 according to an embodiment. The electronic key management system 1includes, for example, an electronic key 10, a user terminal 20, adiagnostic machine 30, a dealer terminal 40, a communicator 50, animmobilizer 60, and a management server 100. The user terminal 20, thedealer terminal 40, the communicator 50, and the management server 100communicate with each other using a network NW. The network NW includesa part or all of, for example, a wide area network (WAN), a local areanetwork (LAN), the Internet, a provider device, a wireless base station,a dedicated line, and the like.

The communicator 50 and the immobilizer 60 are mounted in a vehicle 70.The immobilizer 60 is an example of an in-vehicle device (that is, anin-vehicle authentication device) that performs an authenticationprocess. The in-vehicle authentication device may be any device otherthan the immobilizer as long as the device is an in-vehicle deviceperforming the authentication process.

The vehicle 70 is, for example, a vehicle purchased by an authorizedowner A. Registration work and invalidation work of the electronic key10, which will be described below, are performed, for example, in adealer store at a time of delivery, a time of additional registration,or a time of registration deletion. The time of additional registrationis a time when a new electronic key is registered when an electronic keyis lost or a time when a new electronic key of a second key or a keyafter the second key is registered, or the like. At the time ofregistration deletion is a time when a lost electronic key is deletedfrom registration, or the like. In the following, these will bedescribed without distinction. Hereinafter, an example in which theregistration work and the invalidation work are performed by asalesperson B at a dealer store will be described.

The electronic key 10 is an electronic key prepared for registration inthe vehicle 70. In the electronic key 10, key information is stored in astorage provided therein. The key information is, for example,identification information for identifying the electronic key 10. Theelectronic key 10 is provided with a predetermined switch, and the keyinformation stored in the storage of the electronic key 10 istransmitted by operating the switch.

The user terminal 20 is a terminal device used by the authorized ownerA. The user terminal 20 is, for example, a tablet terminal, asmartphone, a personal digital assistant (PDA), a laptop computer, orthe like.

For example, the diagnostic machine 30 diagnoses a failure or the likeof the vehicle in a state in which the diagnostic machine 30 isconnected to the immobilizer 60 using a dedicated wired cable. When thediagnostic machine 30 is connected to the immobilizer 60, the diagnosticmachine 30 may be connected to the immobilizer 60 indirectly throughanother ECU or directly. In the embodiment, the diagnostic machine isused as a tool for causing the immobilizer 60 to execute a predeterminedmode.

The dealer terminal 40 is a terminal device used by the salesperson B ofthe dealer store. The dealer terminal 40 is, for example, a desktopcomputer or a notebook computer installed in the dealer store, and maybe a tablet terminal, a smartphone, a PDA, or the like.

The communicator 50 is, for example, a wireless communication module forconnecting to the network NW through a cellular network or a Wi-Finetwork. The communicator 50 is connected to the immobilizer 60, andoutputs information received from an external device such as themanagement server 100 to the immobilizer 60.

The immobilizer 60 stores the key information of the electronic keyregistered by the registration process of the electronic key 10 in thestorage (described later), and collates the key information with theelectronic key 10. Specifically, the immobilizer 60 collates theregistered key information with the key information received from theelectronic key 10, and determines whether or not the registered keyinformation and the key information received from the electronic key 10match. In a case where it is determined that the key informationreceived from the electronic key 10 matches the key information storedin the storage by the determination process (in a case where theelectronic key 10 is authenticated as an authorized key, that is, in acase where the authentication is successful), the immobilizer 60 permitsa predetermined operation such as locking or releasing a door of thevehicle 70, starting an engine of the vehicle 70, and the like. On theother hand, the authentication is not successful with the keyinformation received from the electronic key 10 that is not registered.In this case, the immobilizer 60 does not permit the predeterminedoperation.

The management server 100 issues an execution key that is input to thediagnostic machine 30 by the salesperson B in the registration processor the invalidation process of the electronic key 10, which will bedescribed below. The execution key is information for obtainingpermission to transition to the registration mode or the invalidationmode. The registration mode is a mode in which the electronic key 10 isregistered in the immobilizer 60 as an electronic key dedicated to thevehicle 70. The invalidation mode is a mode in which the electronic keyregistered in the immobilizer 60 as the electronic key dedicated to thevehicle 70 is invalidated. The salesperson B of the dealer storeperforms the association between the electronic key 10 and the vehicle70 after switching the immobilizer 60 to the registration mode usinginformation based on this execution key (which will be described indetail later). The salesperson B of the dealer store cancels theassociation between the electronic key 10 and the vehicle 70 afterswitching the immobilizer 60 to the invalidation mode using theinformation based on the execution key.

[Diagnostic Machine 30]

FIG. 2 is a constitution diagram of the diagnostic machine 30. As shownin FIG. 2, the diagnostic machine 30 includes a connector 31, aninputter 32, a display 33, a storage 34, a controller 35, and acommunicator 36. The connector 31 is a connector to which a wired cableis connected. The connector 31 is connected to the immobilizer 60through a wired cable. The inputter 32 is various keys, buttons, or thelike. The display 33 is a liquid crystal display (LCD) or the like. Thestorage 34 is realized by a random access memory (RAM), a read onlymemory (ROM), a flash memory, or the like. For example, the controller35 communicates with the immobilizer 60 on the basis of the informationinput by the salesperson B using the inputter 32 and executes apredetermined process on the basis of the information received from theimmobilizer 60. The communicator 36 is, for example, a wirelesscommunication module (communication machine) for connecting to thenetwork NW through a cellular network or a Wi-Fi network.

[Management Server 100]

Before the immobilizer 60, description of the management server 100 willbe given first. FIG. 3 is a constitution diagram of the managementserver 100. As shown in FIG. 3, the management server 100 includes acommunicator 110, a storage 130, and a controller 150. For example, thecommunicator 110 includes a communication interface such as a networkinterface card (NIC). The storage 130 is a flash memory such as a RAM, aROM, a solid state drive (SSD), a hard disk drive (HDD), or the like.For example, the storage 130 stores information such as addressmanagement information 131 and execution key generation information 132.The execution key generation information 132 is information necessaryfor generating an execution key. For example, the execution keygeneration information 132 includes an arithmetic expression, a program,and the like for deriving the execution key on the basis of the inputinformation.

FIG. 4 is a diagram showing an example of details of the addressmanagement information 131. As shown in FIG. 4, the address managementinformation 131 is, for example, information in which a dealer mailaddress, a user mail address, and an execution key are associated with avehicle body number. The vehicle body number is identificationinformation for identifying each vehicle 70, and is, for example, anumber displayed on a number plate attached (or planned to be attached)to the vehicle 70. The dealer mail address is a mail address capable ofreceiving a mail by the dealer terminal 40. The user mail address is amail address capable of receiving a mail by the user terminal 20. Theexecution key is, for example, an execution key generated by themanagement server 100 on the basis of a corresponding vehicle bodynumber or the like. The dealer mail address and the user mail addressare examples of addresses when transmitting information to the dealerterminal 40 and the user terminal 20, and are not particularly limitedto the mail addresses as long as the execution key is able to betransmitted and received.

The controller 150 includes, for example, a register 151, an executionkey generator 152, a divider 153, and a communication controller 154.Such constitutions are realized, for example, by a hardware processorsuch as a central processing unit (CPU) executing a program (software).A combination of the execution key generator 152 and the divider 153 isan example of a “generator”. The program may be stored in a storagedevice such as an HDD or a flash memory of the management server 100 inadvance, or may be stored in a detachable storage medium such as a DVDor a CD-ROM, the storage medium may be attached to a drive device, andthus the program may be installed in the HDD or the flash memory of themanagement server 100.

The register 151 stores the information in which the dealer mail addressreceived from the dealer terminal 40 is associated with the user mailaddress received from the user terminal 20 in the storage 130 as a partof the address management information 131, in the body number receivedfrom the dealer terminal 40.

For example, the execution key generator 152 generates the execution keyK using the execution key generation information 132 in response to anexecution request from the immobilizer 60. For example, the executionkey generation information 132 generates the execution key K on thebasis of static information such as a vehicle number registered in theaddress management information 131 and dynamic information such as dateand time information of a registration date. The execution key generator152 stores the generated execution key K in the address managementinformation 131 of the storage 130 in association with the correspondingvehicle number.

The divider 153 generates a first execution key K1 and a secondexecution key K2 on the basis of the execution key K generated by theexecution key generator 152. For example, the divider 153 divides anumeric string (which may include characters) of the execution key Kinto two of a first half and a last half, sets a numeric string of thefirst half as the first execution key K1 and a numeric string of thelast half as second execution key K2. The execution key K is, forexample, an 8-digit number pin code. In this case, the divider 153divides the execution key K into 4-digit numbers, sets a first 4-digitas the first execution key K1, and sets a last 4-digit as the secondexecution key K2. The first execution key K1 and the second executionkey K2 may be related to the execution key K and are not limited to thedivided information. For example, the first execution key K1 and thesecond execution key K2 may include a numeric string of the executionkey K and information indicating a method of synthesizing the executionkey K.

The communication controller 154 transmits the execution key K generatedby the execution key generator 152 to the immobilizer 60 that hastransmitted the execution request of the registration mode or theinvalidation mode. Hereinafter, the execution key K transmitted to theimmobilizer 60 will be referred to as an execution key Ki. The executionkey Ki is the same information as the execution key K.

The communication controller 154 transmits the first execution key K1and the second execution key K2 generated by the divider 153 to thedealer terminal 40 and the user terminal 20, respectively. Hereinafter,an example will be described in which the first execution key K1 istransmitted to the dealer terminal 40 and the second execution key K2 istransmitted to the user terminal 20 by the communication controller 154.However, transmission destinations of each piece of information may bereversed. For example, the communication controller 154 reads the dealermail address associated with the execution key K generated by theexecution key generator 152 from the address management information 131,and transmits a mail including the first execution key K1 to the readdealer mail address. The communication controller 154 reads the usermail address associated with the execution key K generated by theexecution key generator 152 from the address management information 131and transmits a mail including the second execution key K2 to the readuser mail address. The dealer terminal 40 or the user terminal 20displays the received first execution key K1 or the second execution keyK2 on its display. The display is referred to by an operator, andhereinafter, an execution key that is input to the inputter 32 by theoperator and input to the immobilizer 60 from the diagnostic machine 30is referred to as an execution key Kt(m). The execution key Kt(m) is,for example, information in which the second execution key K2 issubsequently arranged from the first execution key K1.

[Immobilizer 60]

FIG. 5 is a constitution diagram of the immobilizer 60. As shown in FIG.5, the immobilizer 60 includes a connector 61, a storage 63, and acontroller 65. The connector 61 is a connector to which a wired cable isconnected. The connector 61 is connected to the diagnostic machine 30and the communicator 50 through a wired cable. The storage 63 isrealized by a RAM, a ROM, a flash memory, or the like.

For example, information such as execution key information 63A, keyinformation 63B, and the like are stored in the storage 63. Theexecution key information 63A is information indicating the executionkey Ki received from the management server 100. The key information 63Bis identification information allocated to the electronic key 10registered as the electronic key dedicated to the vehicle 70 (that is,the immobilizer 60) in the registration mode. A plurality of pieces ofkey information may be included in the key information 63B.

The controller 65 includes, for example, an execution key register 65A,an execution key collator 65B, an electronic key register 65C, anelectronic key collator 65D, and an electronic key deleter 65E. Suchconstitutions are realized, for example, by a hardware processor such asa CPU executing a program (software). The program may be stored in astorage device such as an HDD or a flash memory of the immobilizer 60 inadvance, or may be installed in the HDD or the flash memory of theimmobilizer 60 by being stored in a detachable storage medium such as aDVD or a CD-ROM and the storage medium being attached to a drive device.

In a case where the execution request of the registration mode is inputfrom the diagnostic machine 30 or in a case where the execution requestof the invalidation mode is input from the diagnostic machine 30, theexecution key register 65A transmits the input information to themanagement server 100. In a case where the execution key register 65Areceives the execution key from the management server 100, the executionkey register 65A stores the execution key in the storage 63 as theexecution key information 63A.

The execution key collator 65B collates the execution key Kt(m) inputfrom the diagnostic machine 30 with the execution key Ki read from theexecution key information 63A of the storage 63. The execution keycollator 65B determines whether or not the execution key Kt(m) and theexecution key Ki match, and in a case where these two match, theexecution key collator 65B authenticates the execution key Kt(m) inputfrom the diagnostic machine 30 as an authorized key (that is, determinesthat the authentication is successful). On the other hand, in a casewhere it is determined that they do not match by the collation, theexecution key collator 65B does not authenticate the execution key Kt(m)input from the diagnostic machine 30 as the authorized key (that is,determines that the authentication is not successful). The fact that thekeys match each other may include various meaning such as meaning thatcorrect information is able to be obtained in a case where theinformation encrypted using one key is decrypted using the other key, inaddition to meaning that each information indicated by the keys match orparts of each information match. The same applies to the following.

The electronic key register 65C is an execution unit that transitions tothe registration mode and executes a registration process. In a casewhere the execution key Kt(m) input from the diagnostic machine 30 isauthenticated as the authorized key by the execution key collator 65B,the electronic key register 65C executes the registration mode inresponse to the execution request of the registration mode from thediagnostic machine 30. The execution request of the registration modemay be performed before or after the authentication. In a case where thekey information is received from the electronic key 10 during theexecution of the registration mode, the electronic key register 65Cstores the received key information as the key information 63B in thestorage 63, and ends the registration mode.

In a case where the key information is received from the vehicle key 10,the electronic key collator 65D collates the received key informationwith the key information 63B of the storage 63. The electronic keycollator 65D determines whether or not they match by the collation, andin a case where both match, the electronic key collator 65Dauthenticates the key information received from the vehicle key 10 asthe authorized key. In a case where the key information received fromthe vehicle key 10 is authenticated as the authorized key, theelectronic key collator 65D permits a predetermined operation such aslocking or releasing the door of the vehicle 70 or starting the engineof the vehicle 70. On the other hand, in a case where they do not matchby the collation, since the electronic key collator 65D does notauthenticate the key information received from the vehicle key 10 as theauthorized key, the electronic key collator 65D does not permit thepredetermined operation.

The electronic key deleter 65E is an execution unit that transits to theinvalidation mode and executes an invalidation process. In a case wherethe execution key input from the diagnostic machine 30 is authenticatedas the authorized key by the execution key collator 65B, the electronickey deleter 65E executes the invalidation mode in response to theinvalidation request of the registration mode from the diagnosticmachine 30. The execution request of the invalidation mode may beperformed before or after the authentication. In a case where the keyinformation is received from the electronic key 10 during the executionof the invalidation mode, the electronic key deleter 65E determineswhether or not the received key information is stored in the storage 63as the key information 63B. In a case where the key information receivedfrom the electronic key 10 is stored in the storage 63 as the keyinformation 63B, the electronic key deleter 65E deletes the keyinformation received from the electronic key 10 from the storage 63, andends the invalidation mode.

[Sequence Diagram]

FIG. 6 is a sequence diagram showing a flow of a process by theelectronic key management system 1. Hereinafter, a case where theregistration mode is executed will be described. First, the salespersonB operates the dealer terminal 40 to perform work of registering thedealer mail address in the management server 100 (step S11). Therefore,the dealer terminal 40 transmits the input dealer mail address to themanagement server 100 (step S12). The management server 100 stores thereceived dealer mail address in the storage 130 (step S13).

The authorized owner A operates the user terminal 20 to perform work ofregistering the user mail address in the management server 100 (stepS14). Therefore, the user terminal 20 transmits the input user mailaddress to the management server 100 (step S15). The management server100 stores the received user mail address in the storage 130 (step S16).

Next, the salesperson B operates the diagnostic machine 30 to instructstart of the execution of the registration mode (step S21). Here, thesalesperson B inputs the vehicle body number. Upon receiving theinstruction to start the execution of the registration mode, thediagnostic machine 30 outputs the execution request of the registrationmode to the immobilizer 60 together with the vehicle body number (stepS22). In a case where the execution request of the registration mode isinput, the immobilizer 60 transmits the execution request to themanagement server 100 together with the vehicle body number through thecommunicator 50 (step S23). In a case where the management server 100receives the execution request of the registration mode, the managementserver 100 generates the execution key K on the basis of the vehiclebody number, the date and time information, or the like (step S24).Next, the management server 100 divides the generated execution key K togenerate the first execution key K1 and the second execution key K2(step S 25).

The management server 100 transmits the execution key Ki generated instep S24 to the immobilizer 60 through the communicator 50 (step S26).The immobilizer 60 stores the received execution key Ki in the storage63 as the execution key information 63A (step S27).

The management server 100 transmits the first execution key K1 generatedin step S25 to the dealer terminal 40 (step S28). The dealer terminal 40displays the received first execution key K1 on the display of thedealer terminal 40 (step S29). The management server 100 transmits thesecond execution key K2 generated in step S25 to the user terminal 20(step S30). The user terminal 20 displays the received second executionkey K2 on the display of the user terminal 20 (step S31).

Next, the diagnostic machine 30 causes the display 33 to display aninput screen (hereinafter referred to as an execution key input screen)for receiving an input of the execution key (step S41). In the executionkey input screen, an input column of information other than theexecution key and which is necessary for the authentication may beprovided. FIG. 7 is a diagram showing an example of the execution keyinput screen. As shown in FIG. 7, the execution key input screen 37includes an input column 37A of the first execution key, an input column37B of the second execution key, and a collation icon 37C. The inputcolumn 37A of the first execution key and the input column 37B of thesecond execution key are input columns for receiving an input of numbersand letters. For example, the salesperson B operates the inputter 32 ofthe diagnostic machine 30, inputs the first execution key displayed onthe dealer terminal 40 to the input column 37A, inputs the secondexecution key displayed on the user terminal 20 to the input column 37B,and clicks the collation icon 37C. In a case where the collation icon37C is operated, the diagnostic machine 30 collects information input tothe input column 37A of the first execution key and information input tothe input column 37B of the second execution key and outputs thecollected information to the immobilizer 60 (step S42).

Returning to FIG. 6, the immobilizer 60 collates the execution key Kt(m)input from the diagnostic machine 30 and the execution key Ki stored inthe storage 63 in step S27, and determines whether or not they match(step S43). In a case where they do not match, the immobilizer 60outputs information indicating that the authentication has been failedto the diagnostic machine 30 (step S44), and the diagnostic machine 30causes the display 33 to display a screen indicating that theauthentication has been failed on the basis of the input information(step S45).

On the other hand, in a case where they match in step S43, theimmobilizer 60 executes the registration mode (step S46), and outputsthe information indicating that the registration mode is being executed(or the authentication of the execution key is successful) to thediagnostic machine 30 (step S47). The diagnostic machine 30 causes thedisplay 33 to display a screen indicating that the registration mode isbeing executed (or the authentication of the execution key issuccessful) on the basis of the received information (step S48).

In a case where the screen displayed in step S48 is checked, thesalesperson B operates the switch of the vehicle key 10 (step S49). Inresponse to the operation of the salesperson B, the vehicle key 10transmits the key information held by the vehicle key 10 (step S50).Upon receiving the key information from the vehicle key 10, theimmobilizer 60 stores the received key information as the keyinformation 63B in the storage 63 (step S51), and ends the registrationmode (step S52). Next, the immobilizer 60 transmits informationindicating that the key information is registered to the diagnosticmachine 30 (step S53), and the diagnostic machine 30 causes the display33 to display the received information (step S54).

Also in a case where the invalidation mode is executed, the same processas the above-described process is executed. For example, in step S21,since the salesperson B instructs the start of the execution of theinvalidation mode, the execution key for executing the invalidation modeis generated, and the same process as in a case of executing theregistration mode is executed. The immobilizer 60 is able to delete thekey information of the vehicle key 10 from the registration of thededicated electronic key by deleting the key information received fromthe vehicle key 10 from the storage 63 during the execution of theinvalidation mode.

According to the electronic key management device of the presentembodiment described above, the execution key generator 152 thatgenerates the execution key for obtaining permission for transiting tothe registration mode or the invalidation mode, the divider 153 thatgenerates the first execution key and the second execution key on thebasis of the execution key generated by the execution key generator 152,and the communication controller 154 that transmits the first executionkey generated by the divider 153 to the dealer terminal 40 and transmitsthe second execution key generated by the divider 153 to the userterminal 20 are provided. Therefore, the immobilizer 60 is not able toexecute the registration mode or the invalidation mode without thesecond execution key K2 delivered to the authorized owner A. Thus, it ispossible to prevent a problem that the key information of the electronickey 10 is registered in the immobilizer 60 without permission of theauthorized owner and the vehicle 70 is illegally used by using theregistered electronic key 10. As a result, it is possible to improvesecurity of the vehicle.

The embodiment described above can be expressed as follows.

An electronic key management device comprising:

a storage device: and

a hardware processor that executes a program stored in the storagedevice,

wherein the hardware processor executes the program to:

generate at least one of a first execution key and a second executionkey for obtaining a permission for transiting to a registration mode forregistering an electronic key of a vehicle in an in-vehicleauthentication device or to an invalidation mode for invalidating theelectronic key registered in the in-vehicle authentication device, inresponse to a predetermined request;

transmit the generated first execution key to a first terminal device;and

transmit the generated second execution key to a second terminal devicethat is a terminal device different from the first terminal device andis registered in advance as a terminal device of an authorized owner.

Although the embodiment for implementing the present invention has beendescribed above using the embodiment, the present invention is notlimited to the embodiment at all, and various modifications andsubstitutions can be added within the scope not without departing fromthe gist of the present invention.

For example, the execution key input screen 37 is not limited to theexample shown in FIG. 7, and execution key input screen 37 may be ascreen as shown in FIG. 8. FIG. 8 is a diagram showing another exampleof the execution key input screen. As shown in FIG. 8, the execution keyinput screen 38 includes an execution key input column 38A and acollation icon 38C. An input method of the first execution key and thesecond execution key may be described on the execution key input screen38. For example, “after inputting the first execution key, please inputthe second execution key” is described. It is possible to use the inputscreen of the related art as is by using such an execution key inputscreen 38. Similarly, also in a case where the execution key inputscreen 38 is displayed, the diagnostic machine 30 outputs theinformation input to the execution key input column 38A to theimmobilizer 60.

As shown in FIG. 8, in a case where the execution key input screen has aspecification for inputting the first execution key and the secondexecution key in one input column, the communication controller 154 maytransmit information indicating a sequence when connecting the firstexecution key to the second execution key to at least one of the dealerterminal 40 and the user terminal 20. Therefore, even in a case wherethe salesperson B does not notice the input method of the firstexecution key and the second execution key displayed on the executionkey input screen 38, it is possible to correctly input the firstexecution key and the second execution key.

In a case where the invalidation mode is executed, it is also possibleto use the same input screen as the execution key input screen as shownin FIGS. 7 and 8.

The execution key collator 65B may acquire a division method by thedivider 153 and generate the execution key Kt(m) based on theinformation input from the diagnostic machine 30 according to theacquired division method.

The divider 153 may divide the execution key by alternately allocatingthe numeric string of the execution key to the first execution key andthe second execution key in order from the head. For example, in a casewhere the execution key is “12345678”, the divider 153 may divide theexecution key into the first execution key “1357” and the secondexecution key “2468”. Therefore, the execution key collator 65Balternately combines the first execution key and the second executionkey one by one from the head to generate the execution key. In thisexample, division is performed by alternately allocating characters oneby one, but the divider 153 may perform the division by alternatelyallocating two or more characters, or may perform the division byallocating the number different from the number that is allocated oneallocation ago. In the former case, for example, the first execution key“1256” and the second execution key “3478” are allocated, and in thelatter case, for example, the first execution key “1347” and the secondexecution key “2568” are allocated. The execution key collator 65Breceives information indicating the generation method (a method ofgenerating the first execution key and the second execution key on thebasis of the execution key) by the divider 153 from the managementserver 100, and connects the first execution key and the secondexecution key on the basis of the received information.

The communication controller 154 may check the identity of theauthorized owner A and the salesperson B before transmitting theexecution key. For example, the communication controller 154 transmitscheck information, which is for checking whether or not to permit theexecution of the registration process or the invalidation process of theelectronic key 10 with respect to the vehicle 70, to the dealer terminal40 and the user terminal 20. The check information may include thevehicle body number of the vehicle 70, the date and time when therequest is transmitted, and the like. A check screen based on the checkinformation is displayed on the dealer terminal 40 and the user terminal20, and a permission/prohibition button for inputting whether or not topermit the execution of the registration process or the invalidationprocess is displayed on the check screen. The dealer terminal 40 and theuser terminal 20 transmit operation contents for thepermission/prohibition button to the management server 100. In a casewhere the communication controller 154 receives the informationindicating that the permission button is operated from the dealerterminal 40 and the user terminal 20, the communication controller 154transmits the execution key to the immobilizer 60, and transmits thefirst execution key and the second execution key generated by thedivider 153 to the dealer terminal 40 and the user terminal 20,respectively.

The electronic key 10 may be substituted by a card key, the userterminal 20, or the like. In a case of the card key, the immobilizer 60receives the key information from the card key by using a card readerprovided in the vehicle 70. In a case of the user terminal 20, theimmobilizer 60 receives the key information from the user terminal 20 byusing a wireless communication apparatus (for example, Bluetooth(registered trademark) unit) provided in the communicator 50 or thevehicle 70.

While preferred embodiments of the invention have been described andillustrated above, it should be understood that these are exemplary ofthe invention and are not to be considered as limiting. Additions,omissions, substitutions, and other modifications can be made withoutdeparting from the spirit or scope of the present invention.Accordingly, the invention is not to be considered as being limited bythe foregoing description, and is only limited by the scope of theappended claims.

What is claimed is:
 1. An electronic key management device comprising: agenerator configured to generate at least one of a first execution keyand a second execution key for obtaining a permission for transiting toa registration mode for registering an electronic key of a vehicle in anin-vehicle authentication device or to an invalidation mode forinvalidating the electronic key registered in the in-vehicleauthentication device, in response to a predetermined request; and acommunication controller configured to transmit the first execution keygenerated by the generator to a first terminal device, and transmit thesecond execution key generated by the generator to a second terminaldevice that is a terminal device different from the first terminaldevice and is registered in advance as a terminal device of anauthorized owner, wherein the first terminal device and the secondterminal device are distinct from the vehicle and in-vehicleauthentication device.
 2. The electronic key management device of claim1, wherein the generator generates an execution key related to the firstexecution key and the second execution key based on at least one ofinformation on the vehicle or information on a registration date, andthe communication controller transmits the execution key to thein-vehicle authentication device.
 3. The electronic key managementdevice of claim 1, wherein the generator generates an execution keybased on at least one of information on the vehicle or information on aregistration date, and the execution key is a compilation of the firstexecution key and the second execution key.
 4. The electronic keymanagement device of claim 2, wherein the communication controllertransmits the execution key generated by the generator to the in-vehicleauthentication device that has transmitted the execution request of theregistration mode or the invalidation mode.
 5. The electronic keymanagement device of claim 1, wherein the communication controllertransmits information indicating a sequence when connecting the firstexecution key and the second execution key, to at least one of the firstterminal device and the second terminal device.
 6. An electronic keymanagement system comprising: the electronic key management device ofclaim 1; and the in-vehicle authentication device configured to performauthentication based on the first execution key and the second executionkey in a case where the first execution key and the second execution keyare input, and executes the registration mode or the invalidation modein a case where the authentication is successful.
 7. An electronic keymanagement system comprising: the electronic key management device ofclaim 3; and the in-vehicle authentication device configured todetermine whether or not information based on the first execution keyand the second execution key matches the execution key in a case wherethe execution key, the first execution key, and the second execution keyare input, and determine that authentication is successful in a casewhere both of the information based on the first execution key and thesecond execution key matches the execution key.
 8. An electronic keymanagement method that causes a computer to: generate at least one of afirst execution key and a second execution key for obtaining apermission for transiting to a registration mode for registering anelectronic key of a vehicle in an in-vehicle authentication device or toan invalidation mode for invalidating the electronic key registered inthe in-vehicle authentication device, in response to a predeterminedrequest; transmit the generated first execution key to a first terminaldevice; and transmit the generated second execution key to a secondterminal device that is a terminal device different from the firstterminal device and is registered in advance as a terminal device of anauthorized owner, wherein the first terminal device and the secondterminal device are distinct from the vehicle and in-vehicleauthentication device.
 9. A computer-readable non-transitory storagemedium storing a program that causes a computer to: generate at leastone of a first execution key and a second execution key for obtaining apermission for transiting to a registration mode for registering anelectronic key of a vehicle in an in-vehicle authentication device or toan invalidation mode for invalidating the electronic key registered inthe in-vehicle authentication device, in response to a predeterminedrequest; transmit the generated first execution key to a first terminaldevice; and transmit the generated second execution key to a secondterminal device that is a terminal device different from the firstterminal device and is registered in advance as a terminal device of anauthorized owner, wherein the first terminal device and the secondterminal device are distinct from the vehicle and in-vehicleauthentication device.